textdrop.sh
Guide · Sensitive files

How to share an API key or .env file.

Pasting a key in Slack is the dev-team equivalent of taping it to the office window. Here's how to hand off credentials without leaving a copy in chat, email, or anyone's Downloads folder.

May 26, 20265 min read

The short answer

Paste the key or full .env into textdrop.sh as code, turn on burn-after-read, set an access password, and pick a 1-hour expiry. Send the link in one channel and the access password in another. Rotate the key if it ever lived in chat or email before.

Do this. Not that.

  • Do
  • One-time encrypted link with burn-after-read and a password
  • Your team's secret manager (1Password, Doppler, Vault) if both sides have access
  • A keys-only handoff in person on a freshly cleared terminal buffer
  • Don't
  • Slack or Teams DMs. Retained, indexed, and exportable.
  • Email. Sits in plaintext on four servers and any backup tape.
  • Pull request, gist, or Jira ticket. Indexed by bots within minutes.

Share a key or .env now

Drop your key or .env contents below.

Code format, burn-after-read, password protection, and a 1-hour expiry are already on. Hit Share, then send the link.

Send the link in one channel and the access password in another.

Why this matters

A leaked API key isn't theoretical risk. It's a billing bill, an exfiltration incident, and an incident postmortem rolled into one. Most leaks aren't hacks. They're a key that sat in Slack for six months and got pulled out by an export, a screenshot, or a bot scraping public repos. A one-time encrypted link sends a pointer instead of the secret, then deletes itself.

Common questions

Why can't I just paste the API key in Slack?+

Slack retains messages by default, indexes them for search, and exposes them to anyone who joins the channel later or to anyone who can access an export. Even after deletion, the key has likely been screenshotted, cached, or backed up.

Is it safe to email a .env file?+

No. The file sits in plaintext on the sender's device, the recipient's device, and both providers' mail servers, vulnerable to any future breach, backup, or admin search. If you must email anything, email the link to an encrypted paste, not the secrets themselves.

Should I rotate the key after sharing it?+

If the key was ever pasted into chat, email, or a ticket, yes. If it was only sent through a one-time encrypted link that has since been read or expired, rotation is good hygiene but no longer urgent.

What about 1Password or another secret manager?+

Great when both sides use the same tool and it supports cross-team or cross-org sharing. For one-off handoffs to contractors, freelancers, or candidates who don't have a seat, a one-time encrypted link is faster and leaves no audit residue.

Can I share a multi-line .env file in one paste?+

Yes. Paste the entire file. Pick the code format with a generic language like ini or bash so it stays readable, and the recipient can copy it straight into their project.

Keep reading

Guide
How to share meeting notes

Skip the doc, the wiki, and the email thread. Drop your notes into a Markdown paste, set an expiry, and send a single link your team can read in their browser.

Reference
How the encryption works

AES-256-GCM, PBKDF2 key wrapping, and what zero-knowledge actually means here.